ASSET MANAGEMENT GROUP
ASSET MANAGER’S GUIDE TO SOC 1
APRIL 2015
At Grant Thornton, we help dynamic organizations like yours navigate the
complexities of today’s business landscape, ensuring that you can respond to
ever-changing regulations and investor demands. We go beyond the traditional
compliance and reporting aspects of audit and tax, providing services that offer
real value. Visit GrantThornton.com/assetmanagement.
SIFMA Asset Management Group (AMG) is the voice for the buy side within the
securities industry and the broader financial markets in their respective regions.
Collectively, the members of SIFMA AMG represent over $30 trillion of assets
under management. The clients of SIFMA AMG member firms include, among
others, registered investment companies, state and local government pension
funds, universities, pension plans, and similar types of retirement funds and
private funds, as well as financial institutions, monetary authorities, central
banks, provident funds and sovereign wealth funds outside the U.S.
TABLE OF CONTENTS
Executive Summary..............................................................................................................p1
History of Reporting on Internal Controls over Financial Reporting.................p1
Overview and Current Landscape...................................................................................p2
Service Organization Responsibilities...........................................................................p3
Service Auditor Responsibilities.....................................................................................p3
Form and Content of SOC 1 Type 1 and Type 2 Reports.......................................p4
Defining the Description of Controls.............................................................................p5
Asset Manager Scope..........................................................................................................p6
Asset Manager Scope: Control Environment.............................................................p6
Asset Manager Scope: Operations.................................................................................p7
Asset Manager Scope: General Computer Controls................................................p8
Determining the Control Objectives..............................................................................p8
Determining the Control Objectives: Elements of Control Objectives............p9
Baseline Control Objectives............................................................................................p10
SOC 1 Key Terms..................................................................................................................p12
SOC 1 Guidance Resources.............................................................................................p12
Asset Manager’s Guide to SOC 1
GUIDE TO SERVICE ORGANIZATION CONTROLS (SOC 1)
EXECUTIVE SUMMARY
The Asset Management Group (AMG) of the Securities Industry and Financial Markets Association (SIFMA) has
updated the recommended baseline areas of scope and control objectives for asset manager’s service organization
controls (SOC) 1 reports. This Asset Manager Guide to SOC 1 reports was developed by Grant Thornton LLP,
applying the Asset Manager Guide to Statement on Auditing Standards Number 70 (SAS 70) issued on Oct. 7,
2007, and developed in conjunction with Deloitte & Touche LLP, PricewaterhouseCoopers LLP, Ernst & Young
LLP, KPMG LLP, and AICPA guidelines: Statement on Standards for Attestation Engagements (SSAE) 16,
Reporting on Controls at a Service Organization (effective as of July 15, 2011) and AICPA’s Service Organizations:
Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial
Reporting guide (updated as of May 1, 2013).
The current updates are meant to provide the following:
•	 History of reporting on internal controls over financial reporting
•	 An overview and current landscape of SOC 1
•	 Global trends
•	 Guidance for developing an asset manager’s description of the system, including the control environment,
baseline areas of scope and control objectives
These recommended asset manager baseline areas of scope and control objectives within this guide include asset
management operations and IT general computer controls. The baseline areas were developed to improve the
quality and consistency of reporting for the industry. This document is meant to serve as a guide to defining the
scope of a SOC 1, and is not a substitute for the guidelines defined in the AICPA’s attestation standards and
reporting guides.
HISTORY OF REPORTING ON INTERNAL CONTROLS OVER FINANCIAL
REPORTING
SAS 70 was originally issued by AICPA in April 1992, with the goal of providing a detailed guide for an audit
of the controls at a service organization related to financial statement reporting. The requirements and guidance
for both service auditors reporting on controls at a service organization and user auditors auditing the financial
statements of a user entity were contained in AU Section 324.
In 2010, the Auditing Standards Board issued SSAE 16, Reporting on Controls at a Service Organization, which
was codified in the attestation standard (AT) 801. SSAE 16 included the requirements and guidance for service
auditors only. The requirements and guidance for user auditors remained in AU Section 324.
In May 2011, the following AICPA guide was issued: Service Organizations: Applying SSAE 16, Reporting on
Controls at a Service Organization (SOC 1), but it was not conformed to the clarified auditing standard. In addition,
in May 2013, the following AICPA guide was issued: Service Organizations: Reporting on Controls at a Service
Organization Relevant to User Entities’ Internal Control over Financial Reporting.
OVERVIEW AND CURRENT LANDSCAPE
AICPA has applied the SOC 1 name to what was previously referred to as a SAS 70 report. SOC 1 reports retain
the original purpose of SAS 70 reports in that they provide a vehicle for reporting on a service organization’s system
of internal controls that is relevant to internal controls over financial reporting of a user organization. SOC 1
reports are primarily intended to be auditor-to-auditor communications just like SAS 70 reports were.
SOC 1 reports help firms demonstrate that they have appropriate internal controls over financial reporting and
are typically requested by the customers of asset managers, such as pension funds and mutual funds. In addition,
asset managers utilize SOC 1 reports to meet client requests; help support numerous regulatory requirements; and
when acting as fiduciaries for their clients, demonstrate that they have sound financial controls and safeguards,
particularly around areas of operations and IT. The following should be considered by asset managers as part of the
SOC 1 reports:
•	 Sarbanes-Oxley legislation does not mandate the issuance of the SOC 1 report; however, Sections 302 and 404,
in particular, have increased the awareness and scrutiny of the design and operating effectiveness of internal
controls.
•	 Recent industry and regulatory events are requiring greater awareness over the control environment and controls
in place to manage risk and adopt new compliance procedures (i.e., Title IV of the Dodd-Frank Wall Street
Reform and Consumer Protection Act).
•	 An increasing number of organizations are outsourcing key components of their operations such as the IT, fund
accounting, and custodian functions.
•	 Increased expectations of asset managers to have a SOC 1 examination and, in some cases, other reports based
on various attestation standards (AT 101, AT 601, etc.) are being completed for competitive advantage.
GLOBAL TRENDS
As organizations expand where they do business and with whom, the need to obtain assurance over controls has
become a global issue. The International Accounting and Auditing Standards Board developed a global standard
for service organizations, International Standard on Assurance Engagements (ISAE) 3402. ISAE 3402 can often be
issued with minimal effort if a SOC 1 is already being performed.
If the service organization and user organization are domiciled in the same country, then consider using the
local standard. If the service organization and the user organization are domiciled in different countries, then
consider using international standards. The service organization should consult with its user organizations to
determine which standards will be appropriate.
SERVICE ORGANIZATION RESPONSIBILITIES
PRIMARY RESPONSIBILITIES:
•	 Defining the scope of the engagement (e.g., services, functional areas, application systems)
•	 Determining the type of engagement to be performed (Type 1 or Type 2)
•	 Determining “as of date” for a Type 1 or the period to be covered by the report for a Type 2
•	 Determining whether the functions and related controls of any subservice organizations will be included or
“carved out” of (i.e., excluded from) the description
•	 Selecting the criteria for the description of the system
•	 Preparing a description of controls that is fairly presented (complete and accurate), including disclosing
significant changes in controls in the description of controls since the later of the date of the last report or within
the last 12 months
•	 Preparing management’s written assertion
•	 Identifying control objectives (unless established by a third party)
•	 Assessing the design and operating effectiveness of internal controls and including a complete and accurate
description of control activities
•	 Identifying complementary controls (i.e., “user controls”) that a user organization should have in place
•	 Including “other information” provided (e.g., business continuity planning), if applicable
•	 Disclosing any fraud, illegal acts, or uncorrected errors; design deficiencies in controls; test of operating
effectiveness deficiencies; and subsequent events of which management is aware that would have a significant
effect on a user organization
•	 Tailoring and obtaining appropriate signatures on management’s representation letter
•	 Reviewing and editing the final draft of the SOC 1 report
•	 Controlling the distribution of the SOC 1 report
SECONDARY RESPONSIBILITIES:
•	 Identify project coordinator and key contacts
•	 Assist the service auditor in determining logistical requirements for testing such as access to system(s), reports
and documentation
SERVICE AUDITOR RESPONSIBILITIES
PRIMARY RESPONSIBILITIES:
•	 Planning
•	 Obtaining and evaluating evidence about whether the description of the service organization’s system is fairly
presented
•	 Evaluating whether control objectives relate to internal controls over financial reporting
•	 Obtaining and evaluating evidence regarding the suitability of the design of the controls
•	 Obtaining and evaluating evidence regarding the operating effectiveness of controls in a Type 2 engagement
•	 Determining which controls to test
•	 Designing and performing tests of controls
•	 Using the work of the internal audit function, if applicable
•	 Evaluating the results of the tests of controls
•	 Describing tests of controls and the results of tests
•	 Performing procedures to address complementary controls that a user organization should have in place
•	 Disclaiming an opinion on “other information” provided by the service organization, if applicable
•	 Performing procedures to address any instances of fraud, illegal acts or uncorrected errors; design deficiencies in
controls; test of operating effectiveness deficiencies; and subsequent events of which management makes the service
auditor aware that would have a significant effect on a user organization
•	 Preparing the Service Auditor’s Report (the opinion)
•	 Obtaining written representations
SECONDARY RESPONSIBILITIES:
•	 Meet with service organization to finalize scope, specific objectives to be accomplished by examination, and
responsibilities, and schedule field work
•	 Finalize engagement work plan and schedule staff
•	 Discuss findings and recommendations with the service organization
FORM AND CONTENT OF SOC 1 TYPE 1 AND TYPE 2 REPORTS
There is no rigid standard proposed by AICPA guidance with regards to the organization of a SOC 1 report;
however, leading practices indicate that the report should be organized as follows:
Section 1 Independent Service Auditor’s Report (the opinion).
Section 2 Management’s assertion and, if applicable, a subservice organization’s management assertion.
Section 3 Management’s description of the service organization’s system.
Section 4 Management’s control objectives and control activities. Type 2 reports also include the
independent service auditor’s tests of controls and results of tests.
Section 5 Other information provided by the service organization. This is an optional section and the
service auditor does not opine on such information. Content typically includes information
related to the service organization’s disaster recovery plan, compliance with other regulatory
standards or management responses to testing exceptions.
SOC 1 Type 1
Reports on controls placed in operation
•	 Report is as of a point in time (e.g., as of 12/31/201X)
•	 Opinion rendered related to the fair presentation of the description
•	 Opinion rendered related to the suitability of the design of the controls
•	 No opinion rendered related to the operating effectiveness of the controls
•	 Not considered useful for purposes of reliance by user auditors
•	 Not used as a basis for reducing the assessment of the control risk below the maximum
•	 Generally performed for the first year a service organization pursues a SOC 1 report

SOC 1 Type 2
Reports on controls placed in operation and tests of operating effectiveness
•	 Report covers a period of time, generally between six and 12 months
•	 Opinion rendered related to the fair presentation of the description
•	 Opinion rendered related to the suitability of the design of the controls
•	 Opinion rendered related to the operating effectiveness of the controls
•	 May provide user auditors with a basis for reducing assessment of control risk below the maximum
•	 Requires more internal and external effort
•	 Identifies instances of noncompliance of the stated control activity
For additional guidance regarding the Independent Service Auditor Reports for Type 1 and Type 2 reports, see the
following:
Guide for Service Organizations: Reporting on Controls at a Service Organization
Relevant to User Entities’ Internal Control Over Financial Reporting (2013) – Chapter 2
DEFINING THE DESCRIPTION OF CONTROLS
The service auditor can assist in writing the description of controls; however, the service organization must
take responsibility for the completeness, accuracy and method of presentation. The description should provide
information about the service organization’s internal control that is relevant to the user organization’s internal
control over financial reporting.
At a minimum, the description of controls should include the following:
•	 Aspects of the service organization’s control environment, risk assessment, information and communication
and monitoring that may affect the services provided to the user organization as it relates to an audit of financial
statements
•	 Control objectives, related controls, and user control considerations pertaining to operations and general
computer controls
•	 Changes to the controls since the later of the date of the last report or within the last 12 months
ASSET MANAGER SCOPE
Areas relevant to an asset manager are categorized as one of the following as it relates to the scope of an asset
manager SOC 1:
Baseline: This area is relevant to a user organization’s internal control as it relates to internal controls over financial
reporting and is common to the scope of SOC 1 issued by asset managers.
Not Baseline: This area is not relevant to a user organization’s internal control as it relates to internal controls over
financial reporting and is not common to the scope of SOC 1 issued by asset managers.
Other Area to Consider: This area is not common to the scope of SOC 1 issued by asset managers, but may be
considered for inclusion in scope.
“Baseline” areas, “Not Baseline” areas, and “Other Areas to Consider” for an asset manager SOC 1 are depicted on
the following pages as it relates to:
•	 Control environment
•	 Operations
•	 General computer controls
ASSET MANAGER SCOPE: CONTROL ENVIRONMENT
Baseline
•	 Integrity and ethical values
•	 Commitment to competence
•	 Board of directors or audit committee participation
•	 Management philosophy and operating style
•	 Organizational structure
•	 Assignment of authority and responsibility
•	 HR policies and procedures
•	 Risk assessment
•	 Information and communication
•	 Monitoring
Not Baseline
•	 Privacy Policies and Procedures
In General:
•	 The Control Environment is the foundation for all
other aspects of internal control and, therefore, it is
essential that the service organization describe the
appropriate information in the description of controls
based on what is relevant to the user organizations.
•	 The service auditor is also responsible for evaluating/
testing the information included in the control
environment description.
•	 Management is not precluded from presenting
relevant aspects of its control environment in the
form of a control objective with applicable controls
listed.
ASSET MANAGER SCOPE: OPERATIONS
Baseline
•	 New Account Set Up and Account Maintenance
•	 New Security Set Up and Maintenance
•	 Contributions / Distributions
•	 Trading
-- Trade Processing
-- Client Investment Guideline and Restriction Compliance
-- Trade Allocation
-- Trade Error and Investment Guideline Breaches
-- Trade Settlement Procedures
•	 Investment Income
•	 Valuation (Securities, Foreign Exchange Rates, and
Derivatives)
•	 Corporate Actions
•	 Reconciliation (Cash and Position)
•	 Client Reporting
Not Baseline
•	 Investment Adviser Registration, Form ADV, and
Delivery Requirements Policies and Procedures
•	 Section 13 filings under the Securities Exchange Act
of 1934 Policies and Procedures
•	 Advertising and Marketing Investment Services
•	 Insider Trading
•	 Portfolio Pumping and Window Dressing
•	 Client Complaint Processing
•	 Product Development
•	 Cross Trading
•	 Managing Proprietary Accounts
•	 Cash Referral Fee Agreement
•	 Account Performance
•	 Laws and Regulations
•	 IRS Rules
Other Areas to Consider
•	 Fee Calculation and Billing
•	 Custody or Possession of Client Assets (if applicable)
•	 Brokerage Allocation (includes Best Execution,
Affiliated Trading, Soft Dollars, Directed Brokerage
and IPO or New Issues Allocation)
•	 Broker Selection and Retention
•	 Trading Aggregation
•	 Proxy Voting
•	 Personal Trading
•	 AML Review
ASSET MANAGER SCOPE: GENERAL COMPUTER CONTROLS
Baseline
•	 Information Systems Operations
-- Job scheduling
-- Record backup
-- Incident management
•	 Information Security
-- Logical security
-- Physical security
-- Environmental protection
•	 Change Management
-- Application changes
-- System software changes
-- Network changes
-- Hardware changes
Not Baseline
•	 Business Continuity Planning or Disaster Recovery*
* Note: In accordance with AICPA guidance, a service auditor cannot form an opinion on the design of
controls or operating effectiveness over business continuity planning or disaster recovery.
DETERMINING THE CONTROL OBJECTIVES
•	 The control objectives should be determined by the service organization, while taking into consideration the
needs of the service organization’s users and internal control over financial reporting. However, the service
auditor may assist the service organization with defining appropriate control objectives in the following ways:
-- By providing examples of control objectives that may be relevant to user organizations as it relates to internal
controls over financial reporting
-- By reviewing draft control objectives and providing feedback as to their appropriateness and adequacy
•	 The control objectives may be designated by the service organization or outside parties such as regulatory
authorities, a user group or others.
•	 If the control objectives are incomplete, the service auditor may qualify the SOC 1 report.
•	 Control objectives help the user auditor determine how the service organization’s controls affect the user
organization’s financial statement assertions (i.e., validity, completeness, cutoff, recording, valuation and
presentation).
•	 The service organization should establish control objectives that it believes relate to its users’ financial statement
assertions and provide a framework for the user auditors to assess control risk as a whole.
•	 The service organization can modify control objectives after the start of the engagement (may need to disclose
this in the report in an explanatory paragraph). However, the service organization cannot modify a control
objective to “get out” of a control objective, which would be considered significant by user organizations and
their auditors, or if there is a significant deficiency in either the design or operating effectiveness of the controls.
DETERMINING THE CONTROL OBJECTIVES: ELEMENTS OF CONTROL OBJECTIVES
The following categories may assist in considering each element within the control objectives that would affect the
user organization’s financial statement assertions as defined in AU Section 326:
Assertions in a User Organization’s Financial Statements, and Potential Errors

Existence or occurrence
•	 Potential existence or occurrence errors relate to (1) assets, liabilities and ownership interests existence as of
the statement date and balances that have a real-world counterpart (i.e., customers, suppliers, employees, banks);
(2) access to assets and critical documents that control their movement are suitably restricted to authorized
personnel; or (3) transactions and events that have been recorded actually occurred and pertain to the entity.

Completeness
•	 Potential completeness errors relate to (1) all transactions and events that should have been recorded have been
recorded, and (2) transactions and events have been recorded in the proper period.

Rights and obligations
•	 Potential rights and obligations errors relate to (1) the entity holds the rights to the assets, (2) transactions are
executed in accordance with management’s general and specific authority, and (3) liabilities recorded are the
obligation of the entity.

Valuation or allocation
•	 Potential valuation or allocation errors relate to (1) amounts based on estimates and judgments are in accordance
with U.S. GAAP, (2) costs are allocated from the balance sheet to the income statement in the proper period, or
(3) amounts recorded are mathematically accurate.

Presentation and disclosure
•	 Potential presentation and disclosure errors relate to (1) transactions and events recorded in the proper accounts,
and (2) disclosure-driven financial information is appropriately described and understandable to users.
BASELINE CONTROL OBJECTIVES
Area: Baseline Control Objectives

New Account Setup and Maintenance
Controls provide reasonable assurance that documentation for the opening and modification of client accounts is
received, authenticated, and established accurately, completely, and in a timely manner on the applicable system.

Trading/Settlement (Allocation, Processing, Settlement)
Controls provide reasonable assurance that trades are properly authorized, settled, and recorded in accordance with
portfolio guidelines and relevant account restrictions, accurately, completely, and in a timely manner in the client
account.
Controls provide reasonable assurance that block orders are allocated to client accounts according to management
established methodologies, and allocations are approved by management.

Contributions/Distributions
Controls provide reasonable assurance that contributions and distributions are authorized by the client and
processed and recorded accurately, completely, and in a timely manner in the client account.

New Security Setup and Maintenance
Controls provide reasonable assurance that new securities and changes to existing securities are authorized and
processed accurately, completely, and in a timely manner.

Valuation (Securities, Foreign Exchange Rates, and Derivatives)
Controls provide reasonable assurance that valuation, including securities, foreign exchange rates, and derivatives,
is received from an authorized source and updated accurately, completely, and in a timely manner.

Investment Income
Controls provide reasonable assurance that interest and dividend income information is received from an
authorized source and processed accurately, completely, and in a timely manner in the client account.

Corporate Actions
Controls provide reasonable assurance that corporate actions are received from an authorized source and processed
accurately, completely, and in a timely manner in the client account.

Reconciliation
Controls provide reasonable assurance that cash and security positions reflected in the portfolio accounting system
reconcile to actual positions and balances held by custodians, and discrepancies are identified, researched, and
resolved in a timely manner.

Client Reporting
Controls provide reasonable assurance that account statements reflect the correct holdings and market value and
are provided to clients in a complete and timely manner.

Information System Operations
Controls provide reasonable assurance that production programs needed to process batch and online transactions
are valid and executed and monitored timely and to normal completion.
Controls provide reasonable assurance that data is backed up, retained and retrievable.
Controls provide reasonable assurance that processing incidents are identified, tracked, recorded, and resolved
accurately, completely, and in a timely manner.

Information System Security
Controls provide reasonable assurance that logical security tools and techniques are configured, administered, and
monitored to enable restriction of access to programs, data, and other information resources.
Controls provide reasonable assurance that physical access restrictions are implemented and administered to
ensure that only authorized individuals have ability to access or use information resources.
Controls provide reasonable assurance that information resources are protected against environmental hazards and
related damage.

Information System Change Management
Modifications and upgrades to applications, the network, hardware, and systems software are authorized, approved
by management, tested, and implemented accurately, completely, and in a timely manner.
SOC 1 KEY TERMS
User Organization: The entity that has engaged a service organization and whose financial statements are being
audited.
User Auditor: The auditor who reports on the financial statements of the user organization.
Service Organization: The entity (or segment of an entity) that provides services to the user organization that is
part of the user organization’s information system.
Service Auditor: The auditor who reports on controls of a service organization that may be relevant to a user
organization’s internal control as it relates to an audit of financial statements.
Subservice Organization: An entity that performs functions or processing for the service organization that may be
part of the user organization’s information system as it relates to an audit of financial statements.
Inclusive Method of Reporting: Method of reporting that allows the description of controls to include controls in
place at the subservice organizations.
Carve-out Method of Reporting: Method of reporting that does not allow the description of controls to include
controls in place at the subservice organizations.
SOC 1 GUIDANCE RESOURCES
AICPA LITERATURE — AUDIT AND ACCOUNTING GUIDES:
Service organizations: applying SSAE 16:
•	 Issued in 2011 and most recently updated in 2013
•	 Based on the professional standards for performing a SOC 1 (AT 801)
•	 Prepared by the AICPA SOC Task Force
•	 Useful when preparing and/or utilizing a SOC 1 report
•	 Provides guidance in applying generally accepted auditing standards in audits of financial statements of entities
that use service organizations and in service auditors’ engagements
•	 Information provided could be used to help determine the relevant business activities/control objectives to
include in SOC 1
Industry guides:
•	 Various industry guides published by AICPA, including employee benefits, investment companies, and brokers
and dealers
SEC LITERATURE — NEW SEC RULES, REPORTS AND STUDIES
SEC’s Management Report on Internal Controls over Financial Reporting and Certification of Disclosure in
Exchange Act Periodic Reports
WWW.SIFMA.ORG
PDF
GT Events and Programs Guide December/January 2019
PDF
GT Events and Programs Guide
PDF
GT Events & Program Guide: ForwardThinking October/November 2017
PPTX
Real Estate Industry Success: Build, Transform and Protect Value into 2020
PPTX
Asset Management Industry Success: Build, Transform and Protect Value into 2020
PPTX
Technology Industry Success: Build, Transform and Protect Value into 2020
PPTX
Banking Industry Success: Build, Transform and Protect Value into 2020
PDF
GT Events & Program Guide: ForwardThinking August/September 2017
PPTX
Why prepare now? 5 things that smart businesses are doing TODAY to prepare fo...
PDF
ForwardThinking June/July 2017 Grant Thornton
PPTX
10 social media tips for nonprofits to further engagement
PDF
The Future of Growth and Industries Webcast Series: Trends to watch for 2020
PDF
ForwardThinking April/May 2017 Grant Thornton
PDF
The Future of Industry: Sector Convergence & 2017 Outlook
PDF
ForwardThinking Q1 2017
PPTX
DOL fiduciary rule: How it affects the insurance industry
PPTX
Tightening pressure transforms the landscape: The state of asset management
PDF
Challenges facing a new administration
PDF
Impact of voter turnout in U.S. elections
GT Events and Programs Guide February/March 2019
GT Events and Programs Guide December/January 2019
GT Events and Programs Guide
GT Events & Program Guide: ForwardThinking October/November 2017
Real Estate Industry Success: Build, Transform and Protect Value into 2020
Asset Management Industry Success: Build, Transform and Protect Value into 2020
Technology Industry Success: Build, Transform and Protect Value into 2020
Banking Industry Success: Build, Transform and Protect Value into 2020
GT Events & Program Guide: ForwardThinking August/September 2017
Why prepare now? 5 things that smart businesses are doing TODAY to prepare fo...
ForwardThinking June/July 2017 Grant Thornton
10 social media tips for nonprofits to further engagement
The Future of Growth and Industries Webcast Series: Trends to watch for 2020
ForwardThinking April/May 2017 Grant Thornton
The Future of Industry: Sector Convergence & 2017 Outlook
ForwardThinking Q1 2017
DOL fiduciary rule: How it affects the insurance industry
Tightening pressure transforms the landscape: The state of asset management
Challenges facing a new administration
Impact of voter turnout in U.S. elections

Recently uploaded (20)

PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
PDF
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
PDF
Ôn tập tiếng anh trong kinh doanh nâng cao
PPT
Lecture 3344;;,,(,(((((((((((((((((((((((
PPT
Chapter four Project-Preparation material
PDF
Charisse Litchman: A Maverick Making Neurological Care More Accessible
PDF
Family Law: The Role of Communication in Mediation (www.kiu.ac.ug)
PDF
TyAnn Osborn: A Visionary Leader Shaping Corporate Workforce Dynamics
PPTX
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
PPTX
DMT - Profile Brief About Business .pptx
PDF
How to Get Business Funding for Small Business Fast
PDF
Comments on Crystal Cloud and Energy Star.pdf
PPTX
svnfcksanfskjcsnvvjknsnvsdscnsncxasxa saccacxsax
PDF
Daniels 2024 Inclusive, Sustainable Development
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
PDF
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
PDF
Keppel_Proposed Divestment of M1 Limited
PDF
Deliverable file - Regulatory guideline analysis.pdf
PDF
NISM Series V-A MFD Workbook v December 2024.khhhjtgvwevoypdnew one must use ...
PDF
Cours de Système d'information about ERP.pdf
Belch_12e_PPT_Ch18_Accessible_university.pptx
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
Ôn tập tiếng anh trong kinh doanh nâng cao
Lecture 3344;;,,(,(((((((((((((((((((((((
Chapter four Project-Preparation material
Charisse Litchman: A Maverick Making Neurological Care More Accessible
Family Law: The Role of Communication in Mediation (www.kiu.ac.ug)
TyAnn Osborn: A Visionary Leader Shaping Corporate Workforce Dynamics
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
DMT - Profile Brief About Business .pptx
How to Get Business Funding for Small Business Fast
Comments on Crystal Cloud and Energy Star.pdf
svnfcksanfskjcsnvvjknsnvsdscnsncxasxa saccacxsax
Daniels 2024 Inclusive, Sustainable Development
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
Keppel_Proposed Divestment of M1 Limited
Deliverable file - Regulatory guideline analysis.pdf
NISM Series V-A MFD Workbook v December 2024.khhhjtgvwevoypdnew one must use ...
Cours de Système d'information about ERP.pdf

Asset Manager’s Guide to SOC 1

ASSET MANAGEMENT GROUP
ASSET MANAGER’S GUIDE TO SOC 1
APRIL 2015
At Grant Thornton, we help dynamic organizations like yours navigate the complexities of today’s business landscape, ensuring that you can respond to ever-changing regulations and investor demands. We go beyond the traditional compliance and reporting aspects of audit and tax, providing services that offer real value. Visit GrantThornton.com/assetmanagement.

SIFMA Asset Management Group (AMG) is the voice for the buy side within the securities industry and the broader financial markets in their respective regions. Collectively, the members of SIFMA AMG represent over $30 trillion of assets under management. The clients of SIFMA AMG member firms include, among others, registered investment companies, state and local government pension funds, universities, pension plans, and similar types of retirement funds and private funds, as well as financial institutions, monetary authorities, central banks, provident funds and sovereign wealth funds outside the U.S.
TABLE OF CONTENTS
Executive Summary ........ p1
History of Reporting on Internal Controls over Financial Reporting ........ p1
Overview and Current Landscape ........ p2
Service Organization Responsibilities ........ p3
Service Auditor Responsibilities ........ p3
Form and Content of SOC 1 Type 1 and Type 2 Reports ........ p4
Defining the Description of Controls ........ p5
Asset Manager Scope ........ p6
Asset Manager Scope: Control Environment ........ p6
Asset Manager Scope: Operations ........ p7
Asset Manager Scope: General Computer Controls ........ p8
Determining the Control Objectives ........ p8
Determining the Control Objectives — Elements of Control Objectives ........ p9
Baseline Control Objectives ........ p10
SOC 1 Key Terms ........ p12
SOC 1 Guidance Resources ........ p12
GUIDE TO SERVICE ORGANIZATION CONTROLS (SOC 1)

EXECUTIVE SUMMARY
The Asset Management Group (AMG) of the Securities Industry and Financial Markets Association (SIFMA) has updated the recommended baseline areas of scope and control objectives for asset managers’ service organization controls (SOC) 1 reports. This Asset Manager Guide to SOC 1 reports was developed by Grant Thornton LLP, applying the Asset Manager Guide to Statement on Auditing Standards Number 70 (SAS 70) issued on Oct. 7, 2007, and developed in conjunction with Deloitte & Touche LLP, PricewaterhouseCoopers LLP, Ernst & Young LLP, KPMG LLP, and AICPA guidelines: Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization (effective as of July 15, 2011) and AICPA’s Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting guide (updated as of May 1, 2013).

The current updates are meant to provide the following:
• History of reporting on internal controls over financial reporting
• An overview and current landscape of SOC 1
• Global trends
• Guidance for developing an asset manager’s description of the system, including the control environment, baseline areas of scope and control objectives

The recommended asset manager baseline areas of scope and control objectives within this guide include asset management operations and IT general computer controls. The baseline areas were developed to improve the quality and consistency of reporting for the industry. This document is meant to serve as a guide to defining the scope of a SOC 1 and is not a substitute for the guidelines defined in the AICPA’s attestation standards and reporting guides.
HISTORY OF REPORTING ON INTERNAL CONTROLS OVER FINANCIAL REPORTING
SAS 70 was originally issued by AICPA in April 1992, with the goal of providing a detailed guide for an audit of the controls at a service organization related to financial statement reporting. The requirements and guidance for both service auditors reporting on controls at a service organization and user auditors auditing the financial statements of a user entity were contained in AU Section 324.

In 2010, the Auditing Standards Board issued SSAE 16, Reporting on Controls at a Service Organization, which was codified in the attestation standard (AT) 801. SSAE 16 included the requirements and guidance for service auditors only. The requirements and guidance for user auditors remained in AU Section 324.

In May 2011, the following AICPA guide was issued: Service Organizations: Applying SSAE 16, Reporting on Controls at a Service Organization (SOC 1); it was not conformed to the clarified auditing standard. In addition, in May 2013, the following AICPA guide was issued: Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.
OVERVIEW AND CURRENT LANDSCAPE
AICPA has applied the SOC 1 name to what was previously referred to as a SAS 70 report. SOC 1 reports retain the original purpose of SAS 70 reports in that they provide a vehicle for reporting on a service organization’s system of internal controls that is relevant to internal controls over financial reporting of a user organization. SOC 1 reports are primarily intended to be auditor-to-auditor communications, just as SAS 70 reports were.

SOC 1 reports help firms demonstrate that they have appropriate internal controls over financial reporting and are typically requested by the customers of asset managers, such as pension funds and mutual funds. In addition, asset managers utilize SOC 1 reports to meet client requests; help support numerous regulatory requirements; and, when acting as fiduciaries for their clients, demonstrate that they have sound financial controls and safeguards, particularly around areas of operations and IT.

The following should be considered by asset managers as part of the SOC 1 reports:
• Sarbanes-Oxley legislation does not mandate the issuance of the SOC 1 report; however, Sections 302 and 404, in particular, have increased the awareness and scrutiny of the design and operating effectiveness of internal controls.
• Recent industry and regulatory events are requiring greater awareness over the control environment and controls in place to manage risk and adopt new compliance procedures (e.g., Title IV of the Dodd-Frank Wall Street Reform and Consumer Protection Act).
• An increasing number of organizations are outsourcing key components of their operations such as the IT, fund accounting, and custodian functions.
• Increased expectations of asset managers to have a SOC 1 examination and, in some cases, other reports based on various attestation standards (AT 101, AT 601, etc.) are being completed for competitive advantage.
GLOBAL TRENDS
As organizations expand where they do business and with whom, the need to obtain assurance over controls has become a global issue. The International Accounting and Auditing Standards Board developed a global standard for service organizations, International Standard on Assurance Engagements (ISAE) 3402. ISAE 3402 can often be issued with minimal effort if a SOC 1 is already being performed. If the service organization and user organization are domiciled in the same country, consider using the local standard. If the service organization and/or the user organization are domiciled in different countries, consider using international standards. The service organization should consult with its user organizations to determine what standards will be appropriate.
SERVICE ORGANIZATION RESPONSIBILITIES
PRIMARY RESPONSIBILITIES:
• Defining the scope of the engagement (e.g., services, functional areas, application systems)
• Determining the type of engagement to be performed (Type 1 or Type 2)
• Determining the “as of date” for a Type 1 or the period to be covered by the report for a Type 2
• Determining whether the functions and related controls of any subservice organizations will be included in or “carved out” of (i.e., excluded from) the description
• Selecting the criteria for the description of the system
• Preparing a description of controls that is fairly presented (complete and accurate), including disclosing significant changes in controls in the description of controls since the later of the date of the last report or within the last 12 months
• Preparing management’s written assertion
• Identifying control objectives (unless established by a third party)
• Assessing the design and operating effectiveness of internal controls and including a complete and accurate description of control activities
• Identifying complementary controls (i.e., “user controls”) that a user organization should have in place
• Including “other information” provided (e.g., business continuity planning), if applicable
• Disclosing any fraud, illegal acts, or uncorrected errors; design deficiencies in controls; test of operating effectiveness deficiencies; and subsequent events of which management is aware that would have a significant effect on a user organization
• Tailoring and obtaining appropriate signatures on management’s representation letter
• Reviewing and editing the final draft of the SOC 1 report
• Controlling the distribution of the SOC 1 report
SECONDARY RESPONSIBILITIES:
• Identify project coordinator and key contacts
• Assist the service auditor in determining logistical requirements for testing such as access to system(s), reports and documentation

SERVICE AUDITOR RESPONSIBILITIES
PRIMARY RESPONSIBILITIES:
• Planning
• Obtaining and evaluating evidence about whether the description of the service organization’s system is fairly presented
• Evaluating whether control objectives relate to internal controls over financial reporting
• Obtaining and evaluating evidence regarding the suitability of the design of the controls
• Obtaining and evaluating evidence regarding the operating effectiveness of controls in a Type 2 engagement
• Determining which controls to test
• Designing and performing tests of controls
• Using the work of the internal audit function, if applicable
• Evaluating the results of the tests of controls
• Describing tests of controls and the results of tests
• Performing procedures to address complementary controls that a user organization should have in place
• Disclaiming an opinion on “other information” provided by the service organization, if applicable
• Performing procedures to address any instances of fraud, illegal acts or uncorrected errors; design deficiencies in controls; test of operating effectiveness deficiencies; and subsequent events of which management makes the service auditor aware that would have a significant effect on a user organization
• Preparing the Service Auditor’s Report (the opinion)
• Obtaining written representations
SECONDARY RESPONSIBILITIES:
• Meet with the service organization to finalize scope, specific objectives to be accomplished by the examination, and responsibilities, and schedule field work
• Finalize the engagement work plan and schedule staff
• Discuss findings and recommendations with the service organization

FORM AND CONTENT OF SOC 1 TYPE 1 AND TYPE 2 REPORTS
There is no rigid standard proposed by AICPA guidance with regards to the organization of a SOC 1 report; however, leading practices indicate that the report should be organized as follows:
Section 1: Independent Service Auditor’s Report (the opinion).
Section 2: Management’s assertion and, if applicable, a subservice organization’s management assertion.
Section 3: Management’s description of the service organization’s system.
Section 4: Management’s control objectives and control activities. Type 2 reports also include the independent service auditor’s tests of controls and results of tests.
Section 5: Other information provided by the service organization. This is an optional section, and the service auditor does not opine on such information. Content typically includes information related to the service organization’s disaster recovery plan, compliance with other regulatory standards or management responses to testing exceptions.
SOC 1 Type 1 (reports on controls placed in operation):
• Report is as of a point in time (e.g., as of 12/31/201X)
• Opinion rendered related to the fair presentation of the description
• Opinion rendered related to the suitability of the design of the controls
• No opinion rendered related to the operating effectiveness of the controls
• Not considered useful for purposes of reliance by user auditors
• Not used as a basis for reducing the assessment of control risk below the maximum
• Generally performed for the first year a service organization pursues a SOC 1 report

SOC 1 Type 2 (reports on controls placed in operation and tests of operating effectiveness):
• Report covers a period of time, generally between six and 12 months
• Opinion rendered related to the fair presentation of the description
• Opinion rendered related to the suitability of the design of the controls
• Opinion rendered related to the operating effectiveness of the controls
• May provide user auditors with a basis for reducing the assessment of control risk below the maximum
• Requires more internal and external effort
• Identifies instances of noncompliance with the stated control activity

For additional guidance regarding the Independent Service Auditor Reports for Type 1 and Type 2 reports, see the following: Guide for Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (2013), Chapter 2.

DEFINING THE DESCRIPTION OF CONTROLS
The service auditor can assist in writing the description of controls; however, the service organization must take responsibility for the completeness, accuracy and method of presentation. The description should provide information about the service organization’s internal control that is relevant to the user organization’s internal control over financial reporting.

At a minimum, the description of controls should include the following:
• Aspects of the service organization’s control environment, risk assessment, information and communication, and monitoring that may affect the services provided to the user organization as they relate to an audit of financial statements
• Control objectives, related controls, and user control considerations pertaining to operations and general computer controls
• Changes to the controls since the later of the date of the last report or within the last 12 months
ASSET MANAGER SCOPE
Areas relevant to an asset manager are categorized as one of the following as it relates to the scope of an asset manager SOC 1:
Baseline: This area is relevant to a user organization’s internal control as it relates to internal controls over financial reporting and is common to the scope of SOC 1 reports issued by asset managers.
Not Baseline: This area is not relevant to a user organization’s internal control as it relates to internal controls over financial reporting and is not common to the scope of SOC 1 reports issued by asset managers.
Other Area to Consider: This area is not common to the scope of SOC 1 reports issued by asset managers, but may be considered for inclusion in scope.

“Baseline” areas, “Not Baseline” areas, and “Other Areas to Consider” for an asset manager SOC 1 are depicted on the following pages as they relate to:
• Control environment
• Operations
• General computer controls

ASSET MANAGER SCOPE: CONTROL ENVIRONMENT
Baseline:
• Integrity and ethical values
• Commitment to competence
• Board of directors or audit committee participation
• Management philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• HR policies and procedures
• Risk assessment
• Information and communication
• Monitoring
Not Baseline:
• Privacy policies and procedures

In General:
• The control environment is the foundation for all other aspects of internal control; therefore, it is essential that the service organization describe the appropriate information in the description of controls based on what is relevant to the user organizations.
• The service auditor is also responsible for evaluating/testing the information included in the control environment description.
• Management is not precluded from presenting relevant aspects of its control environment in the form of a control objective with applicable controls listed.
ASSET MANAGER SCOPE: OPERATIONS
Baseline:
• New Account Set Up and Account Maintenance
• New Security Set Up and Maintenance
• Contributions / Distributions
• Trading
-- Trade Processing
-- Client Investment Guideline and Restriction Compliance
-- Trade Allocation
-- Trade Error and Investment Guideline Breaches
-- Trade Settlement Procedures
• Investment Income
• Valuation (Securities, Foreign Exchange Rates, and Derivatives)
• Corporate Actions
• Reconciliation (Cash and Position)
• Client Reporting
Not Baseline:
• Investment Adviser Registration, Form ADV, and Delivery Requirements Policies and Procedures
• Section 13 filings under the Securities Exchange Act of 1934 Policies and Procedures
• Advertising and Marketing Investment Services
• Insider Trading
• Portfolio Pumping and Window Dressing
• Client Complaint Processing
• Product Development
• Cross Trading
• Managing Proprietary Accounts
• Cash Referral Fee Agreement
• Account Performance
• Laws and Regulations
• IRS Rules
Other Areas to Consider:
• Fee Calculation and Billing
• Custody or Possession of Client Assets (depends on if applicable)
• Brokerage Allocation (includes Best Execution, Affiliated Trading, Soft Dollars, Directed Brokerage and IPO or New Issues Allocation)
• Broker Selection and Retention
• Trading Aggregation
• Proxy Voting
• Personal Trading
• AML Review
ASSET MANAGER SCOPE: GENERAL COMPUTER CONTROLS
Baseline:
• Information Systems Operations
-- Job scheduling
-- Record backup
-- Incident management
• Information Security
-- Logical security
-- Physical security
-- Environmental protection
• Change Management
-- Application changes
-- System software changes
-- Network changes
-- Hardware changes
Not Baseline:
• Business Continuity Planning or Disaster Recovery*

* Note: In accordance with AICPA guidance, a service auditor cannot form an opinion on the design of controls or operating effectiveness over business continuity planning or disaster recovery.

DETERMINING THE CONTROL OBJECTIVES
• The control objectives should be determined by the service organization, while taking into consideration the needs of the service organization’s users and internal control over financial reporting. However, the service auditor may assist the service organization with defining appropriate control objectives in the following ways:
-- By providing examples of control objectives that may be relevant to user organizations as they relate to internal controls over financial reporting
-- By reviewing draft control objectives and providing feedback as to their appropriateness and adequacy
• The control objectives may be designated by the service organization or outside parties such as regulatory authorities, a user group or others.
• If the control objectives are incomplete, the service auditor may qualify the SOC 1 report.
• Control objectives help the user auditor determine how the service organization’s controls affect the user organization’s financial statement assertions (i.e., validity, completeness, cutoff, recording, valuation and presentation).
• The service organization should establish control objectives that it believes relate to its users’ financial statement assertions and provide a framework for the user auditors to assess control risk as a whole.
• The service organization can modify control objectives after the start of the engagement (it may need to disclose this in the report in an explanatory paragraph). However, the service organization cannot modify a control objective to “get out” of a control objective that would be considered significant by user organizations and their auditors, or where there is a significant deficiency in either the design or operating effectiveness of the controls.
DETERMINING THE CONTROL OBJECTIVES — ELEMENTS OF CONTROL OBJECTIVES
The following categories may assist in considering each element within the control objectives that would affect the user organization’s financial statement assertions as defined in AU Section 326. Each assertion in a user organization’s financial statements is listed with the potential errors that relate to it:

Existence or occurrence: Potential existence or occurrence errors relate to (1) assets, liabilities and ownership interests existing as of the statement date and balances that have a real-world counterpart (i.e., customers, suppliers, employees, banks); (2) access to assets and critical documents that control their movement being suitably restricted to authorized personnel; or (3) transactions and events that have been recorded having actually occurred and pertaining to the entity.

Completeness: Potential completeness errors relate to (1) all transactions and events that should have been recorded having been recorded, and (2) transactions and events having been recorded in the proper period.

Rights and obligations: Potential rights and obligations errors relate to (1) the entity holding the rights to the assets, (2) transactions being executed in accordance with management’s general and specific authority, and (3) liabilities recorded being the obligation of the entity.

Valuation or allocation: Potential valuation or allocation errors relate to (1) amounts based on estimates and judgments being in accordance with U.S. GAAP, (2) costs being allocated from the balance sheet to the income statement in the proper period, or (3) amounts recorded being mathematically accurate.

Presentation and disclosure: Potential presentation and disclosure errors relate to (1) transactions and events being recorded in the proper accounts, and (2) disclosure-driven financial information being appropriately described and understandable to users.
BASELINE CONTROL OBJECTIVES
Each area is listed with its baseline control objective(s):

New Account Setup and Maintenance: Controls provide reasonable assurance that documentation for the opening and modification of client accounts is received, authenticated, and established accurately, completely, and in a timely manner on the applicable system.

Trading/Settlement (Allocation, Processing, Settlement):
• Controls provide reasonable assurance that trades are properly authorized, settled, and recorded in accordance with portfolio guidelines and relevant account restrictions, accurately, completely, and in a timely manner in the client account.
• Controls provide reasonable assurance that block orders are allocated to client accounts according to management-established methodologies, and allocations are approved by management.

Contributions/Distributions: Controls provide reasonable assurance that contributions and distributions are authorized by the client and processed and recorded accurately, completely, and in a timely manner in the client account.

New Security Setup and Maintenance: Controls provide reasonable assurance that new securities and changes to existing securities are authorized and processed accurately, completely, and in a timely manner.

Valuation (Securities, Foreign Exchange Rates, and Derivatives): Controls provide reasonable assurance that valuation, including securities, foreign exchange rates, and derivatives, is received from an authorized source and updated accurately, completely, and in a timely manner.

Investment Income: Controls provide reasonable assurance that interest and dividend income information is received from an authorized source and processed accurately, completely, and in a timely manner in the client account.

Corporate Actions: Controls provide reasonable assurance that corporate actions are received from an authorized source and processed accurately, completely, and in a timely manner in the client account.

Reconciliation: Controls provide reasonable assurance that cash and security positions reflected in the portfolio accounting system reconcile to actual positions and balances held by custodians, and discrepancies are identified, researched, and resolved in a timely manner.

Client Reporting: Controls provide reasonable assurance that account statements reflect the correct holdings and market value and are provided to clients in a complete and timely manner.

Information System Operations:
• Controls provide reasonable assurance that production programs needed to process batch and online transactions are valid and executed and monitored timely and to normal completion.
• Controls provide reasonable assurance that data is backed up, retained and retrievable.
• Controls provide reasonable assurance that processing incidents are identified, tracked, recorded, and resolved accurately, completely, and in a timely manner.

Information System Security:
• Controls provide reasonable assurance that logical security tools and techniques are configured, administered, and monitored to enable restriction of access to programs, data, and other information resources.
• Controls provide reasonable assurance that physical access restrictions are implemented and administered to ensure that only authorized individuals have the ability to access or use information resources.
• Controls provide reasonable assurance that information resources are protected against environmental hazards and related damage.

Information System Change Management: Modifications and upgrades to applications, the network, hardware, and systems software are authorized, approved by management, tested, and implemented accurately, completely, and in a timely manner.
SOC 1 KEY TERMS

User Organization: The entity that has engaged a service organization and whose financial statements are being audited.

User Auditor: The auditor who reports on the financial statements of the user organization.

Service Organization: The entity (or segment of an entity) that provides services to the user organization that are part of the user organization's information system.

Service Auditor: The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.

Subservice Organization: An entity that performs functions or processing for the service organization that may be part of the user organization's information system as it relates to an audit of financial statements.

Inclusive Method of Reporting: A method of reporting that allows the description of controls to include the controls in place at the subservice organizations.

Carve-out Method of Reporting: A method of reporting that does not allow the description of controls to include the controls in place at the subservice organizations.
SOC 1 GUIDANCE RESOURCES

AICPA LITERATURE — AUDIT AND ACCOUNTING GUIDES

Service Organizations: Applying SSAE 16:
• Issued in 2011 and most recently updated in 2013
• Based on the professional standards for performing a SOC 1 (AT 801)
• Prepared by the AICPA SOC Task Force
• Useful when preparing and/or utilizing a SOC 1 report
• Provides guidance in applying generally accepted auditing standards in audits of financial statements of entities that use service organizations and in service auditors' engagements
• Information provided could be used to help determine the relevant business activities/control objectives to include in a SOC 1

Industry guides:
• Various industry guides published by the AICPA, including those for employee benefit plans, investment companies, and brokers and dealers

SEC LITERATURE — NEW SEC RULES, REPORTS AND STUDIES

SEC's Management Report on Internal Controls over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports